From: martin@martinorr.name (Martin Orr)
Date: Wed, 1 Oct 2008 00:15:56 +0100
Subject: [refpolicy] debian policy patch
In-Reply-To: <200809292032.13348.russell@coker.com.au>
References: <200809292032.13348.russell@coker.com.au>
Message-ID: <20080930231556.GA5575@caligula.martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Mon, Sep 29, 2008 at 08:32:12PM +1000, Russell Coker wrote:
> The attached patch against the latest subversion tree strictly applies to
> Debian related things.
>
> --
> russell at coker.com.au
> http://etbe.coker.com.au/ My Blog
>
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
> diff -ruw policy/modules/admin/acct.fc /tmp/new-pol/modules/admin/acct.fc
> --- policy/modules/admin/acct.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/acct.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -5,4 +5,9 @@
>
> /usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
>
> +ifdef(`distro_debian',`
> +/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
> +', `
> /var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
> +')
> +
> diff -ruw policy/modules/admin/alsa.fc /tmp/new-pol/modules/admin/alsa.fc
> --- policy/modules/admin/alsa.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/alsa.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -1,9 +1,19 @@
> +
> +/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
This leaves two copies of the above lines in the file.
> /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> +ifdef(`distro_debian', `
> +/var/lib/alsa/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +', `
> /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +')
> +
>
> /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
> diff -ruw policy/modules/admin/apt.fc /tmp/new-pol/modules/admin/apt.fc
> --- policy/modules/admin/apt.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -12,5 +12,10 @@
> /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>
> +# aptitude lock
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +# aptitude log
> +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
> +
> # dpkg terminal log
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> diff -ruw policy/modules/admin/apt.if /tmp/new-pol/modules/admin/apt.if
> --- policy/modules/admin/apt.if 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.if 2008-09-29 20:15:54.000000000 +1000
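Review bot: In the Debian branch of alsa.fc, `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` receive `alsa_etc_rw_t`, the same type the upstream branch uses only for writable state under /etc; the `_rw_` name suggests this makes package-shipped configuration under /usr/share modifiable by whichever domain may write that type, which is worth confirming is intended rather than read-only access. The new `/var/lib/alsa/asound\.state` entry also drops the `--` file-type specifier that the parallel `/etc/alsa/asound\.state --` line carries, so it would match a directory or symlink of that name as well; `/var/lib/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)` keeps the two branches consistent.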
> @@ -73,6 +73,25 @@
>
> ########################################
> ##
> +## Do not audit attempts to use file descriptors from apt.
> +##
> +##
> +##
> +## The type of the process attempting performing this action
> +## which should not be audited.
> +##
> +##
> +#
> +interface(`apt_dontaudit_use_fds',`
> + gen_require(`
> + type apt_t;
> + ')
> +
> + dontaudit $1 apt_t:fd use;
> +')
Unnecessary interface - see comment below where it's used.
> +
> +########################################
> +##
> ## Read from an unnamed apt pipe.
> ##
> ##
> @@ -129,6 +148,27 @@
>
> ########################################
> ##
> +## Read the apt package cache.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +interface(`apt_read_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir list_dir_perms;
> + dontaudit $1 apt_var_cache_t:dir write;
> + allow $1 apt_var_cache_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> ## Read the apt package database.
> ##
> ##
> diff -ruw policy/modules/admin/apt.te /tmp/new-pol/modules/admin/apt.te
> --- policy/modules/admin/apt.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.te 2008-09-29 20:15:54.000000000 +1000
> @@ -30,6 +30,11 @@
> type apt_var_cache_t alias var_cache_apt_t;
> files_type(apt_var_cache_t)
>
> +# aptitude lock file
> +type apt_lock_t;
> +files_lock_file(apt_lock_t)
> +
> +# aptitude log file
> type apt_var_log_t;
> logging_log_file(apt_var_log_t)
>
> @@ -53,6 +58,9 @@
> allow apt_t self:msgq create_msgq_perms;
> allow apt_t self:msg { send receive };
>
> +# Run update
> +allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> # Access /var/cache/apt files
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
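Review bot: `apt_read_cache` writes its access as raw `allow $1 apt_var_cache_t:dir list_dir_perms;` and `allow $1 apt_var_cache_t:file read_file_perms;` lines, while the module body uses the pattern macros (the apt.te hunk below has `manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)`); `list_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `read_files_pattern($1, apt_var_cache_t, apt_var_cache_t)` give the same access in the module's idiom. The `dontaudit $1 apt_var_cache_t:dir write;` inside a read interface silently hides write denials for every caller, so it deserves a one-line comment naming which caller attempts the write and why ignoring it is harmless.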
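Review bot: `# Run update` above `allow apt_t self:netlink_route_socket r_netlink_socket_perms;` names the command but not what it does with a routing netlink socket, so a later reader cannot tell whether the rule is still needed. Presumably this is name resolution enumerating interfaces during an update, but that should be confirmed and written down, e.g. `# apt-get update: name resolution reads interface/route state over netlink_route (confirm)`.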
> @@ -72,6 +80,14 @@
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>
> +# lock files
> +allow apt_t apt_lock_t:dir manage_dir_perms;
> +allow apt_t apt_lock_t:file manage_file_perms;
> +files_lock_filetrans(apt_t, apt_lock_t, {dir file})
> +
> +# log files
> +allow apt_t apt_var_log_t:file manage_file_perms;
> +
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
>
> @@ -114,9 +130,15 @@
> libs_exec_lib_files(apt_t)
>
> logging_send_syslog_msg(apt_t)
> +logging_log_filetrans(apt_t, apt_var_log_t, file)
>
> miscfiles_read_localization(apt_t)
>
> +# this is not particularly nice.
> +# maybe add a type for ~/.aptitude instead.
> +userdom_manage_all_users_home_content_files(apt_t)
> +userdom_manage_all_users_home_content_dirs(apt_t)
> +
> seutil_use_newrole_fds(apt_t)
>
> sysnet_read_config(apt_t)
> @@ -127,6 +149,10 @@
> #')
>
> optional_policy(`
> + pythonsupport_domtrans(apt_t)
> +')
This patch doesn't contain the pythonsupport_domtrans interface.
> +
> +optional_policy(`
> # dpkg interaction
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> diff -ruw policy/modules/admin/bootloader.fc /tmp/new-pol/modules/admin/bootloader.fc
> --- policy/modules/admin/bootloader.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/bootloader.fc 2008-09-29 20:15:54.000000000 +1000
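Review bot: The lock rules in the `@@ -72,6 +80,14 @@` hunk are written as raw `allow apt_t apt_lock_t:dir manage_dir_perms;` and `allow apt_t apt_lock_t:file manage_file_perms;`, while the adjacent context line uses `manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)`; `manage_dirs_pattern(apt_t, apt_lock_t, apt_lock_t)` and `manage_files_pattern(apt_t, apt_lock_t, apt_lock_t)` match the file's idiom. The log rule `allow apt_t apt_var_log_t:file manage_file_perms;` follows the same pattern and could be `manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)`.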
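Review bot: `userdom_manage_all_users_home_content_files(apt_t)` and `userdom_manage_all_users_home_content_dirs(apt_t)` in the `@@ -114,9 +130,15 @@` hunk give the package manager create, write and delete access over every user's home content, far more than the ~/.aptitude state the comment describes, so a misbehaving or compromised apt_t could alter any user's files. The author's own comment already calls this out; until a dedicated home-content type exists, wrapping the two calls in a `tunable_policy` block controlled by a new `gen_tunable` would let sites that never run aptitude from a user account keep the grant disabled. At minimum the comment should state the scope plainly, e.g. `# grants apt_t full access to all user home content; replace with a ~/.aptitude type`.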
> @@ -2,6 +2,15 @@
> /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
>
> +
> +# Debian puts grub in /usr/sbin/grub
> +ifdef(`distro_debian',`
> +/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +',`
> /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +')
> /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> diff -ruw policy/modules/admin/dmesg.te /tmp/new-pol/modules/admin/dmesg.te
> --- policy/modules/admin/dmesg.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dmesg.te 2008-09-29 20:15:54.000000000 +1000
> @@ -52,7 +52,9 @@
>
> userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
>
> +optional_policy(`
> sysadm_use_terms(dmesg_t)
> +')
>
> optional_policy(`
> seutil_sigchld_newrole(dmesg_t)
> diff -ruw policy/modules/admin/dpkg.te /tmp/new-pol/modules/admin/dpkg.te
> --- policy/modules/admin/dpkg.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dpkg.te 2008-09-29 20:15:54.000000000 +1000
> @@ -67,6 +67,16 @@
> allow dpkg_t self:msgq create_msgq_perms;
> allow dpkg_t self:msg { send receive };
>
> +# This is for se_aptitude et al, so that maintainer scripts can talk back.
> +apt_use_fds(dpkg_script_t)
> +apt_rw_pipes(dpkg_script_t)
Already in an optional_policy block.
> +
> +# This is for the maintainer scripts
> +init_use_script_fds(dpkg_script_t)
> +
> +# se_apt-get needs this to run dpkg-preconfigure
> +init_use_script_ptys(dpkg_t)
Why are you pulling these out of their proper alphabetical order?
> +
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> @@ -150,7 +160,6 @@
> files_exec_etc_files(dpkg_t)
>
> init_domtrans_script(dpkg_t)
> -init_use_script_ptys(dpkg_t)
>
> libs_use_ld_so(dpkg_t)
> libs_use_shared_libs(dpkg_t)
> @@ -167,11 +176,15 @@
> sysnet_read_config(dpkg_t)
>
> userdom_use_unpriv_users_fds(dpkg_t)
> +allow userdomain dpkg_var_lib_t:dir list_dir_perms;
> +allow userdomain dpkg_var_lib_t:file read_file_perms;
Encapsulation violation: should use dpkg_read_db.
>
> # transition to dpkg script:
> dpkg_domtrans_script(dpkg_t)
> -# since the scripts aren't labeled correctly yet...
> +# since the scripts are not labeled correctly yet...
> allow dpkg_t dpkg_var_lib_t:file execute;
> +# This is used for running config files for debconf interactions
> +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
>
> optional_policy(`
> apt_use_ptys(dpkg_t)
> @@ -295,7 +308,6 @@
> auth_manage_all_files_except_shadow(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> -init_use_script_fds(dpkg_script_t)
>
> libs_use_ld_so(dpkg_script_t)
> libs_use_shared_libs(dpkg_script_t)
> diff -ruw policy/modules/kernel/devices.fc /tmp/new-pol/modules/kernel/devices.fc
> --- policy/modules/kernel/devices.fc 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/devices.fc 2008-09-29 20:15:54.000000000 +1000
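Review bot: `allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };` in the `@@ -167,11 +176,15 @@` hunk lets dpkg_t execute, without a domain transition, files of a type it also creates (the first hunk's context line `manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)` shows it manages dpkg_tmp_t directories, and presumably the files inside them), so anything dpkg_t writes to its temp area becomes runnable code in the dpkg_t domain. The comment says this is for debconf config scripts; the line above already has `dpkg_domtrans_script(dpkg_t)`, so running those scripts through the transition into dpkg_script_t, or giving the unpacked config scripts their own exec type, would avoid a write-plus-execute type. If the rule must stay, the comment should say explicitly that dpkg_t is being allowed to execute temp files it wrote itself.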
> @@ -1,5 +1,12 @@
>
> /dev -d gen_context(system_u:object_r:device_t,s0)
> +ifdef(`distro_debian',`
> +# this is a static /dev dir "backup mount"
> +# if you want to disable udev, you'll have to boot permissive and relabel!
> +/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev/(.*)? <>
> +')
> /dev/.* gen_context(system_u:object_r:device_t,s0)
>
> /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
> diff -ruw policy/modules/kernel/files.fc /tmp/new-pol/modules/kernel/files.fc
> --- policy/modules/kernel/files.fc 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -252,4 +252,7 @@
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +# on Debian /lib/init/rw is a tmpfs used like /var/run but
> +# before /var is mounted
> +/lib/init/rw -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> ')
> diff -ruw policy/modules/kernel/files.te /tmp/new-pol/modules/kernel/files.te
> --- policy/modules/kernel/files.te 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.te 2008-09-29 20:15:54.000000000 +1000
> @@ -174,6 +174,10 @@
> #
> type var_run_t;
> files_pid_file(var_run_t)
> +ifdef(`distro_debian', `
> +# for /lib/init/rw
> +typeattribute var_run_t mountpoint;
> +')
>
> #
> # var_spool_t is the type of /var/spool
> diff -ruw policy/modules/services/dcc.fc /tmp/new-pol/modules/services/dcc.fc
> --- policy/modules/services/dcc.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/dcc.fc 2008-09-29 20:16:09.000000000 +1000
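Review bot: `/dev/\.static/dev/(.*)? <>` uses `(.*)?`, which is `.*` wrapped in a redundant optional group and unlike the `(/.*)?` idiom the rest of the patch uses (for example `/var/log/account(/.*)?` in acct.fc); `/dev/\.static/dev/.* <>` says the same thing plainly. The context shown as `<>` is presumably the `<<none>>` marker with its inner tag lost in rendering; since that marker makes relabelling leave whatever context the static nodes already carry, the comment above the entry should say so rather than only warning about disabling udev, e.g. `# contents keep whatever label they were created with; relabel does not touch them`.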
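Review bot: `/lib/init/rw -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)` in files.fc labels only the mount-point directory; if a tmpfs is mounted over it as the comment says, the files created inside at boot get their label from the tmpfs and the creating domain, not from this entry, and will only be var_run_t if the mount passes a context option or the writers have a file transition — this cannot be verified from the hunk. A note beside the rule such as `# only the mountpoint; contents are labelled by the tmpfs mount / creating domain` would stop a reader from assuming restorecon covers them. The matching `typeattribute var_run_t mountpoint;` in the files.te hunk is consistent with the mount being set up elsewhere.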
> @@ -5,13 +5,27 @@
> /usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
> /usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
>
> +ifdef(`distro_redhat',`
> /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
> /usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
> /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
> /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
> +/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
> +/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
> +/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
>
> +ifdef(`distro_redhat',`
> /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
> /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
> +/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
>
> /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
> /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
> diff -ruw policy/modules/services/ldap.fc /tmp/new-pol/modules/services/ldap.fc
> --- policy/modules/services/ldap.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/ldap.fc 2008-09-29 20:16:09.000000000 +1000
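Review bot: Wrapping the existing `/usr/libexec/dcc/*` and `/var/dcc` lines in an ifdef on `distro_redhat` turns entries that previously applied to every build into Red Hat-only ones, so any distribution that is neither Red Hat nor Debian now gets no labels for the dcc executables and data, and those daemons would no longer enter their domains. The rest of this patch uses the two-branch form with the original lines in the else branch (see acct.fc and udev.fc); putting the `/usr/sbin` and `/var/lib/dcc` entries in the `distro_debian` branch and the original paths in the else branch preserves the pre-patch behaviour for everyone else.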
> @@ -1,10 +1,11 @@
>
> /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
>
> -/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> -
> +# Debian and Ubunto place slapd in a different location
> ifdef(`distro_debian',`
> /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> +', `
> +/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> ')
This is no longer correct: Debian now has /usr/sbin/slapd.
>
> /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> diff -ruw policy/modules/services/nagios.fc /tmp/new-pol/modules/services/nagios.fc
> --- policy/modules/services/nagios.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/nagios.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -11,6 +11,7 @@
> /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
>
> ifdef(`distro_debian',`
> -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
> -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/sbin/nagios.* -- gen_context(system_u:object_r:nagios_exec_t,s0)
> +/usr/lib/cgi-bin/nagios.?/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/lib/nagios3/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> ')
> diff -ruw policy/modules/services/portmap.fc /tmp/new-pol/modules/services/portmap.fc
> --- policy/modules/services/portmap.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/portmap.fc 2008-09-29 20:16:09.000000000 +1000
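Review bot: The added comment `# Debian and Ubunto place slapd in a different location` misspells Ubuntu. Since it is the only explanation of the ifdef, `# Debian and Ubuntu place slapd in a different location` is the intended text.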
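Review bot: `/usr/sbin/nagios.* --` matches every regular file under /usr/sbin whose name starts with `nagios`, not just the versioned daemon binaries, so any helper tool shipped with that prefix (Debian's nagios3 package ships a stats helper alongside the daemon, if memory serves) would become an entry point into nagios_t when an administrator runs it. A tighter pattern such as `/usr/sbin/nagios[0-9]? --` covers nagios, nagios2 and nagios3 and mirrors the `nagios.?` already used on the cgi-bin line two lines below.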
> @@ -4,6 +4,7 @@
> ifdef(`distro_debian',`
> /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> +/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
> ', `
> /usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> diff -ruw policy/modules/services/ssh.te /tmp/new-pol/modules/services/ssh.te
> --- policy/modules/services/ssh.te 2008-09-27 15:27:05.000000000 +1000
> +++ /tmp/new-pol/modules/services/ssh.te 2008-09-29 20:16:09.000000000 +1000
> @@ -55,6 +55,11 @@
> init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
> ')
>
> +ifdef(`distro_debian', `
> +# for key blacklist related to openssl bug
> + allow sshd_t usr_t:file read_file_perms;
> +')
> +
> #################################
> #
> # sshd local policy
> diff -ruw policy/modules/system/init.fc /tmp/new-pol/modules/system/init.fc
> --- policy/modules/system/init.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/init.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -15,6 +15,10 @@
> /etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
> ')
> +ifdef(`distro_debian',`
> +/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +')
>
> #
> # /dev
> diff -ruw policy/modules/system/libraries.te /tmp/new-pol/modules/system/libraries.te
> --- policy/modules/system/libraries.te 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/libraries.te 2008-09-29 20:16:09.000000000 +1000
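Review bot: `allow sshd_t usr_t:file read_file_perms;` reaches directly into the files module's `usr_t` type instead of going through its interface; `files_read_usr_files(sshd_t)` grants the same read access, carries its own `gen_require`, and keeps ssh.te from depending on another module's type name. The comment `# for key blacklist related to openssl bug` should also name the file being read so the rule can be retired once that blacklist is gone, since a bare `usr_t` read is otherwise hard to trace back. The body line appears indented one level deeper than the comment above it, which is worth aligning with however the file's other ifdef blocks are indented.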
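Review bot: `/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)` labels the display manager's runtime files as generic init-script state; unless these files are written by Debian's kdm init script rather than by kdm itself, the xserver module's `xdm_var_run_t` looks like the intended type, and using initrc_var_run_t hands them to every domain that may touch init-script runtime files instead of to the display-manager domain. A comment naming which process creates `/var/run/kdm` and `/var/run/hotkey-setup` would let a reviewer confirm the type choice.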
> @@ -90,6 +90,11 @@
>
> userdom_use_all_users_fds(ldconfig_t)
>
> +optional_policy(`
> + # This is needed for apt to get and install packages silently
> + apt_dontaudit_use_fds(ldconfig_t)
> +')
We already have apt_use_fds(ldconfig_t)
> +
> ifdef(`distro_ubuntu',`
> optional_policy(`
> unconfined_domain(ldconfig_t)
> diff -ruw policy/modules/system/sysnetwork.fc /tmp/new-pol/modules/system/sysnetwork.fc
> --- policy/modules/system/sysnetwork.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/sysnetwork.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -22,6 +22,9 @@
> /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> ')
>
> +ifdef(`distro_debian', `
> +/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +')
> #
> # /sbin
> #
> diff -ruw policy/modules/system/udev.fc /tmp/new-pol/modules/system/udev.fc
> --- policy/modules/system/udev.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/udev.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -10,7 +10,11 @@
>
> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> +ifdef(`distro_debian', `
> +/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
> +', `
> /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> +')
> /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
--
Martin Orr
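Review bot: `/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)` places trusted network configuration under /dev/shm, a tmpfs that is normally writable by every user; a file_contexts entry only applies at relabel time, so whatever script creates this tree at boot needs a file transition for its contents to actually be net_conf_t at runtime, and the entry should carry a comment naming that script. Because net_conf_t is read as trusted configuration by many domains, whoever applies this should also confirm that the directory is created before unprivileged users can log in, so that nothing else can claim the path first; that ordering is not visible here.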